conceptual framework document - ITU: Committed to ... Global Cybersecurity Index ... sanctions for...

Date post: 11-Mar-2018

Conceptual Framework

Information and communication technologies (ICT) are the driving force behind the evolution of modern societies. They underpin the social, economic and political growth of individuals, organizations and governments alike. ICTs have become not only ubiquitous, but essential for progress. Smart devices, M2M communications and cloud-based services, among many other technologies, are advancing the next generation of networked societies. Digital technology and internet connectivity are being systematically integrated into all verticals of the private and public sectors because they offer significant advantages: productivity, speed, cost reduction and flexibility. As a result, ICTs are progressively being deployed on new platforms, such as retail RFID systems and vehicular telematics. More significantly, they are being used to upgrade critical infrastructures, including energy grids, transport networks and healthcare systems.

Cybersecurity is paramount for sustaining a technologically sound model. The disruption of electricity or the impairment of financial systems through interference with ICT networks is a reality; these events constitute national security threats. Malicious online agents are numerous, organized and of diverse persuasions: political, criminal, terrorist, hacktivist. The tools at their disposal become more sophisticated and complex over time and with experience; the growing number of connected platforms only serves to offer new attack vectors. There is no going back to simpler times. In embracing technological progress, cybersecurity must form an integral and indivisible part of that process. Unfortunately, cybersecurity is not yet at the core of many national and industrial technology strategies. Although cybersecurity efforts are numerous, they are eclectic and dispersed.

Differences in internet penetration, technological development, private sector dynamics and government strategies mean that cybersecurity is emerging from a bottom-up approach; a natural occurrence where disparities exist between nation states, public and private sectors, and across industries. In essence, however, a global culture of cybersecurity can be more successfully initiated from the top down. Information sharing and cooperation are key to tackling cross-border threats. Such elements require a certain measure of organization in a multitude of disciplines: legal, technical, educational. While a particular country or a specific sector may have developed and adopted a highly effective cybersecurity framework, the knowledge is rarely shared outside of that circle.

The primary obstacle is that cybersecurity is a sensitive issue, whether from a government or private sector perspective. Admission of vulnerabilities can be seen as a weakness. This is a barrier to the discussion and sharing of threat information and best practices. Yet security through obscurity is not a viable defense model against modern cyber threats. The answer is to implement cybersecurity mechanisms in all layers of society. However, the drive and the incentive to do so are inadequate, either due to cost constraints or simply to lack of awareness. A first step towards remedying the situation lies in comparing the cybersecurity capabilities of nation states and publishing an effective ranking of their status. A ranking system would reveal shortcomings and motivate states to intensify their efforts in cybersecurity. It is only through comparison that the real value of a nation’s cybersecurity capability can truly be weighed.

The Global Cybersecurity Index (GCI) project aims to effectively measure each nation state’s level of cybersecurity development. The ultimate goal is to help foster a global culture of cybersecurity and its integration at the core of information and communication technologies. The project has been launched by the International Telecommunication Union (ITU) and the private sector company ABI Research. The GCI project finds its basis in the current mandate of the ITU and the related projects and activities of the ITU’s Telecommunication Development Bureau (BDT).

The ITU is the lead facilitator for WSIS (World Summit on the Information Society) Action Line C5, assisting stakeholders in building confidence and security in the use of ICTs at national, regional and international levels. The ITU’s mandate in cybersecurity is further supported by Resolution 69 on the “Creation of national computer incident response teams, particularly for developing countries, and cooperation between them”, adopted at the fifth World Telecommunication Development Conference (WTDC-10), and by Resolution 130 (Guadalajara, 2010) on “Strengthening the role of ITU in building confidence and security in the use of information and communication technologies”. In this framework, the Global Cybersecurity Agenda (GCA) was launched by the ITU Secretary-General as ITU’s framework for international multi-stakeholder cooperation towards a safer and more secure information society, and focuses on the following five work areas:

• Legal Measures
• Technical Measures
• Organizational Measures
• Capacity Building
• Cooperation.

These five designated areas will form the basis of the indicators for the GCI. These five indicators are critical to measuring national capabilities in cybersecurity because they form the inherent building blocks of a national culture. Cybersecurity has a field of application that cuts across all industries and all sectors, both vertically and horizontally. Enabling the development of national capabilities therefore requires investment by political, economic and social forces. This can be done by law enforcement and justice departments, educational institutions and ministries, private sector operators and developers of technology, public-private partnerships and intra-state cooperation.

The long-term aim is to drive further efforts in the adoption and integration of cybersecurity on a global scale. A comparison of national cybersecurity strategies will reveal those states with high rankings in specific areas, and consequently expose lesser-known yet successful cybersecurity strategies. This can also prompt increased information sharing on deploying cybersecurity for states at different levels of development. By measuring the level of cybersecurity preparedness in various areas, the index will allow states to assess where they are on a scale of development, where they need to make further improvements and how far they are from implementing an acceptable level of cybersecurity. All states are moving towards a more digitized and connected environment, and adopting cybersecurity early on can enable the deployment of more secure and resilient infrastructure in the long term.

The GCI project will be a joint effort between the BDT, specifically its Cybersecurity and ICT Applications Division (CYB), and ABI Research. CYB will act as focal point and owner of the project, and ABI Research will bring in its core skill sets in strategy development, competitive intelligence, business planning, technology assessment and industry benchmarking for the realization of the project. ABI Research is a market intelligence company specializing in global technology markets through quantitative forecasting and analysis of key metrics and trends. Uniquely competent in providing forward-looking insight and actionable, timely, real-world data points in the technology sector, ABI Research will bring its expertise to the timely development and production of a reliable index. Under the arrangement, ITU and ABI Research aim to:

• Identify performance metrics;
• Develop a global ranking mechanism;
• Research and collect data on nation states’ cybersecurity capabilities;
• Contact and liaise with nation states and relevant organizations;
• Identify and insert the relevant data in the index;
• Publish a global cybersecurity index.

Categories and Performance Indicators

The GCI will be a benchmark ranking measuring the cybersecurity development capabilities of sovereign nation states. The index is essentially a composite indicator, aggregating a number of individual indicators. The process of cybersecurity development can be analyzed within five important broad categories. The following indicators and sub-groups have been identified, and nations will be ranked against the benchmark provided in each indicator.

1. Legal Measures

Legislation is a critical measure for providing a harmonized framework for entities to align themselves to a common regulatory basis, whether on the matter of prohibition of specified criminal conduct or of minimum regulatory requirements. Legal measures also allow a nation state to set down the basic response mechanisms to a breach: through investigation and prosecution of crimes and the imposition of sanctions for non-compliance or breach of law. A legislative framework sets the minimum standards of behavior across the board, applicable to all, on which further cybersecurity capabilities can be built. Ultimately, the goal is to enable all nation states to have adequate legislation in place in order to harmonize practices supranationally and offer a setting for interoperable measures, facilitating the international fight against cybercrime.

The legal environment can be measured based on the existence and number of legal institutions and frameworks dealing with cybersecurity and cybercrime. The sub-group is composed of the following performance indicators:

A. Criminal Legislation

Cybercrime legislation designates laws on the unauthorized (without right) access to, interference with and interception of computers, systems and data. The laws can be ranked by level: none, partial or comprehensive. Partial legislation refers to the simple insertion of computer-related wording in an existing criminal law or code, with language limited to extending, for example, fraud or forgery, or surveillance and theft, to cyberspace. Comprehensive legislation refers to the enactment of a dedicated law or act dealing with the specific aspects of computer crime (e.g. the UK Computer Misuse Act 1990). This category can also include partial legislation where the case law or jurisprudence is extensively developed. Please specify the types of laws and regulations and whether there are none or whether they are partial or comprehensive.

B. Regulation & Compliance

Cybersecurity regulation designates laws dealing with data protection, breach notification and certification/standardization requirements. The laws can be ranked by level: none, partial or comprehensive. Partial regulation refers to the insertion of computer-related wording in existing or new criminal or civil law, so that the law extends its applicability to cyberspace in regulation not specifically or uniquely related to cybersecurity (e.g. the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data). Comprehensive regulation refers to the enactment of a dedicated law, act or directive requiring cybersecurity compliance (e.g. the US Federal Information Security Management Act 2002). Please specify the types of laws and regulations and whether there are none or whether they are partial or comprehensive.

2. Technical Measures

Technology is the first line of defense against cyberthreats and malicious online agents. Without adequate technical measures and the capabilities to detect and respond to cyberattacks, nation states and their respective entities remain vulnerable to cyberthreats. The emergence and success of ICTs can only truly prosper in a climate of trust and security. Nation states therefore need to be capable of developing strategies for the establishment of accepted minimum security criteria and accreditation schemes for software applications and systems. These efforts need to be accompanied by the creation of a national entity focused on dealing with cyber incidents at a national level, at the very least with a responsible government agency and with an accompanying national framework for watch, warning and incident response.

Technical measures can be measured based on the existence and number of technical institutions and frameworks dealing with cybersecurity endorsed or created by the nation state. The sub-group is composed of the following performance indicators:

A. CERT/CIRT/CSIRT

The establishment of a national CIRT (Computer Incident Response Team), CERT (Computer Emergency Response Team) or CSIRT (Computer Security Incident Response Team) which provides the capabilities to identify, defend against, respond to and manage cyber threats and enhance cyberspace security in the nation state. This ability needs to be coupled with the gathering of its own intelligence instead of relying on secondary reporting of security incidents, whether from the CIRT’s constituencies or from other sources. Please specify the names and number of officially approved national or sector-specific* CERT or CSIRT teams, and whether they are legally mandated or not. The level of development will be ranked based on whether there are any national teams and whether they are legally mandated or not.

B. Standards

This indicator measures the existence of a government-approved (or endorsed) framework (or frameworks) for the implementation of internationally recognized cybersecurity standards within the public sector (government agencies) and within the critical infrastructure (even if operated by the private sector). These standards include, but are not limited to, those developed by the following agencies: ISO, ITU, IETF, IEEE, ATIS, OASIS, 3GPP, 3GPP2, IAB, ISOC, ISG, ISI, ETSI, ISF, RFC, ISA, IEC, NERC, NIST, FIPS, PCI DSS, etc. Please specify any officially approved national (and sector-specific) frameworks for implementing internationally recognized cybersecurity standards.

C. Certification

This indicator measures the existence of a government-approved (or endorsed) framework (or frameworks) for the certification and accreditation of national (government) agencies and public sector professionals by internationally recognized cybersecurity standards. These certifications, accreditations and standards include, but are not limited to, the following: Cloud Security Knowledge (Cloud Security Alliance), CISSP, SSCP, CSSLP CBK, Cybersecurity Forensic Analyst (ISC²), GIAC, GIAC GSSP (SANS), CISM, CISA, CRISC (ISACA), CompTIA, C|CISO, CEH, ECSA, CHFI (EC-Council), OSSTMM (ISECOM), PCIP/CCISP (Critical Infrastructure Institute), (No Suggestions) Certification, Q/ISP, Software Security Engineering Certification (Security University), CPP, PSP, PCI (ASIS), LPQ, LPC (Loss Prevention Institute), CFE (Association of Certified Fraud Examiners), CERT-Certified Computer Security Incident Handler (SEI), CITRMS (Institute of Consumer Financial Education), CSFA (Cybersecurity Institute), CIPP (IAPP), ABCP, CBCP, MBCP (DRI), BCCP, BCCS, BCCE, DRCS, DRCE (BCM), CIA, CCSA (Institute of Internal Auditors), (Professional Risk Managers International Association), PMP (Project Management Institute), etc. Please specify any officially approved national (and sector-specific) frameworks for the certification and accreditation of national agencies and public sector professionals.

3. Organizational Measures

Organizational and procedural measures are necessary for the proper implementation of any type of national initiative. A broad strategic objective needs to be set by the nation state, with a comprehensive plan for implementation, delivery and measurement. Structures such as national agencies need to be put in place in order to put the strategy into effect and evaluate the success or failure of the plan. Without a national strategy, governance model and supervisory body, efforts in different sectors and industries become disparate and unconnected, thwarting efforts to reach national harmonization in terms of cybersecurity capability development.

The organizational structures can be measured based on the existence and number of institutions and strategies organizing cybersecurity development at the national level. The creation of effective organizational structures is necessary for promoting cybersecurity, combating cybercrime and promoting the role of watch, warning and incident response to ensure intra-agency, cross-sector and cross-border coordination between new and existing initiatives. The sub-group is composed of the following performance indicators:

A. Policy

The development of a policy to promote cybersecurity is recognized as a top priority. A national strategy for Security of Network and Information Systems should maintain resilient and reliable information infrastructure and aim to ensure the safety of citizens; protect the material and intellectual assets of citizens, organizations and the State; prevent cyber-attacks against critical infrastructures; and minimize damage and recovery times from cyber-attacks. Policies on National Cybersecurity Strategies or National Plans for the Protection of Information Infrastructures are those officially defined and endorsed by a nation state, and can include the following commitments: establishing clear responsibility for cybersecurity at all levels of government (local, regional and federal or national), with clearly defined roles and responsibilities; making a clear commitment to cybersecurity, which is public and transparent; and encouraging private sector involvement and partnership in government-led initiatives to promote cybersecurity. Please specify any officially recognized national or sector-specific cybersecurity strategy.

B. Roadmap for Governance

A roadmap for governance in cybersecurity is generally established by a national strategy/policy for cybersecurity, and identifies key stakeholders. The development of a national policy framework is a top priority in developing high-level governance for cybersecurity. The national policy framework must take into account the needs of national critical information infrastructure protection. It should also seek to foster information sharing within the public sector, and also between the public and private sectors. Cybersecurity governance should be built on a national framework addressing challenges and other information security and network security issues at the national level, which could include: national strategy and policy; legal foundations for transposing security laws into networked and online environments; involvement of all stakeholders; developing a culture of cybersecurity; procedures for addressing ICT security breaches and incident handling (reporting, information sharing, alerts management, justice and police collaboration); effective implementation of the national cybersecurity policy; and cybersecurity programme control, evaluation, validation and optimization. Please specify any officially recognized national or sector-specific governance roadmap for cybersecurity.

C. Responsible Agency

A responsible agency for implementing a national cybersecurity strategy/policy can include permanent committees, official working groups, advisory councils or cross-disciplinary centers. Most national agencies will be directly responsible for watch and warning systems and incident response, and for the development of organizational structures needed for coordinating responses to cyber-attacks. Please specify any officially recognized national or sector-specific cybersecurity agency.

D. National Benchmarking

This indicator measures the existence of any officially recognized national or sector-specific benchmarking exercises or referentials used to measure cybersecurity development. For example, a national cybersecurity standard based on ISO/IEC 27002:2005 (the NCSec Referential) can help nation states respond to specific cybersecurity requirements. This referential is split into five domains: NCSec Strategy and Policies; NCSec Organizational Structures; NCSec Implementation; National Coordination; and Cybersecurity Awareness Activities. Please specify any officially recognized national or sector-specific benchmarking exercises or referentials used to measure cybersecurity development.

4. Capacity Building

Capacity building is intrinsic to the first three measures (legal, technical and organizational). Understanding the technology, the risk and the implications can help to develop better legislation, better policies and strategies, and better organization as to the various roles and responsibilities. Cybersecurity is a relatively new area, not much older than the internet itself. This area of study is most often tackled from a technological perspective; yet there are numerous socio-economic and political implications that have applicability in this area. Human and institutional capacity building is necessary to enhance knowledge and know-how across sectors, to apply the most appropriate solutions, and to promote the development of the most competent professionals.

A capacity building framework for promoting cybersecurity should include awareness-raising and the availability of resources. Capacity building can be measured based on the existence and number of research and development, education and training programs, and certified professionals and public sector agencies. The sub-group is composed of the following performance indicators:

A. Standardization Development

Standardization is a good indicator of the level of maturity of a technology, and the emergence of new standards in key areas underlines the vital importance of standards. Although cybersecurity has always been an issue for national security and treated differently in different countries, common approaches are supported by commonly recognized standards. These standards include, but are not limited to, those developed by the following agencies: ISO, ITU, IETF, IEEE, ATIS, OASIS, 3GPP, 3GPP2, IAB, ISOC, ISG, ISI, ETSI, ISF, RFC, ISA, IEC, NERC, NIST, FIPS, PCI DSS, etc. Please specify any officially recognized national or sector-specific research and development (R&D) programs/projects for cybersecurity standards, best practices and guidelines to be applied in either the private or the public sector.

B. Manpower Development

Manpower development should include efforts by nation states to promote widespread publicity campaigns to reach as many people as possible, as well as making use of NGOs, institutions, organizations, ISPs, libraries, local trade organizations, community centers, computer stores, community colleges and adult education programmes, schools and parent-teacher organizations to get the message across about safe cyber-behavior online. This includes actions such as setting up portals and websites to promote awareness, disseminating support material for educators and establishing (or incentivizing) professional training courses and education programs. Please specify any officially recognized national or sector-specific educational and professional training programs for raising awareness with the general public (e.g. a national cybersecurity awareness day, week or month), promoting cybersecurity courses in higher education (technical, social sciences, etc.) and promoting certification of professionals in either the public or the private sector.

C. Professional Certification

This performance indicator can be measured by the number of public sector professionals certified under internationally recognized certification programs and standards, including, but not limited to, the following: Cloud Security Knowledge (Cloud Security Alliance), CISSP, SSCP, CSSLP CBK, Cybersecurity Forensic Analyst (ISC²), GIAC, GIAC GSSP (SANS), CISM, CISA, CRISC (ISACA), CompTIA, C|CISO, CEH, ECSA, CHFI (EC-Council), OSSTMM (ISECOM), PCIP/CCISP (Critical Infrastructure Institute), (No Suggestions) Certification, Q/ISP, Software Security Engineering Certification (Security University), CPP, PSP, PCI (ASIS), LPQ, LPC (Loss Prevention Institute), CFE (Association of Certified Fraud Examiners), CERT-Certified Computer Security Incident Handler (SEI), CITRMS (Institute of Consumer Financial Education), CSFA (Cybersecurity Institute), CIPP (IAPP), ABCP, CBCP, MBCP (DRI), BCCP, BCCS, BCCE, DRCS, DRCE (BCM), CIA, CCSA (Institute of Internal Auditors), (Professional Risk Managers International Association), PMP (Project Management Institute), etc. Please specify the number of public sector professionals certified under internationally recognized certification programs.

D. Agency Certification

This performance indicator can be measured by the number of government and public sector agencies certified under internationally recognized standards. These standards include, but are not limited to, those developed by the following agencies: ISO, ITU, IETF, IEEE, ATIS, OASIS, 3GPP, 3GPP2, IAB, ISOC, ISG, ISI, ETSI, ISF, RFC, ISA, IEC, NERC, NIST, FIPS, PCI DSS, etc. Please specify the number of government and public sector agencies certified under internationally recognized standards.

5. Cooperation

Cybersecurity requires input from all sectors and disciplines and for this reason needs to be tackled through a multi-stakeholder approach. Cooperation enhances dialogue and coordination, enabling the creation of a more comprehensive cybersecurity field of application. Information sharing is difficult at best between different disciplines, and within private sector operators. It becomes increasingly so at the international level. However, the cybercrime problem is one of a global nature and is blind to national borders or sectoral distinctions. Cooperation enables the sharing of threat information, attack scenarios and best practices in response and defense. Greater cooperative initiatives can enable the development of much stronger cybersecurity capabilities, helping to deter repeated and persistent online threats, and enable better investigation, apprehension and prosecution of malicious agents.

National and international cooperation can be measured based on the existence and number of partnerships, cooperative frameworks and information sharing networks. The sub-group is composed of the following performance indicators:

A. Intra-state Cooperation

Intra-state cooperation refers to any officially recognized national or sector-specific partnerships for sharing cybersecurity assets across borders with other nation states (i.e. signed bilateral or multilateral partnerships for the cooperation or exchange of information, expertise, technology and/or resources). Intra-state cooperation also includes regional-level initiatives such as (but not limited to) those implemented by the European Union, the Council of Europe, the G8 Group of States, Asia-Pacific Economic Cooperation (APEC), the Organization of American States (OAS), the Association of South East Asian Nations (ASEAN), the Arab League, the African Union, the Shanghai Cooperation Organization (SCO) and Network Operations Groups (NOG), etc. Please specify any officially recognized national or sector-specific partnerships for sharing cybersecurity assets across borders with other nation states.

B. Intra-agency Cooperation

Intra-agency cooperation refers to any officially recognized national or sector-specific programs for sharing cybersecurity assets (people, processes, tools) within the public sector (i.e. official partnerships for the cooperation or exchange of information, expertise, technology and/or resources between departments and agencies). This includes initiatives and programs between different sectors (law enforcement, military, healthcare, transport, energy, waste and water management, etc.) as well as within departments/ministries (federal/local government, human resources, IT service desk, PR, etc.). Please specify any officially recognized national or sector-specific programs for sharing cybersecurity assets within the public sector.

C. Public-Private Partnerships

Public-private partnerships (PPP) refer to ventures between the public and private sectors. This performance indicator can be measured by the number of officially recognized national or sector-specific PPPs for sharing cybersecurity assets (people, processes, tools) between the public and private sectors (i.e. official partnerships for the cooperation or exchange of information, expertise, technology and/or resources). Please specify any officially recognized national or sector-specific programs for sharing cybersecurity assets between the public and private sectors.

D. International Cooperation

This performance indicator refers to any officially recognized participation in international cybersecurity

platforms and forums. Such cooperative initiatives include those undertaken by (but not limited to):

United Nations General Assembly; International Telecommunication Union (ITU); Interpol / Europol; The

Organisation for Economic Co-operation and Development (OECD); United Nations Office on Drugs and

Crime (UNODC); UN Interregional Crime and Justice Research Institute (UNICRI); Internet

Corporation for Assigned Names and Numbers (ICANN); International Organization for Standardization


(ISO); International Electrotechnical Commission (IEC); Internet Engineering Task Force (IETF); FIRST

(Forum of Incident Response and Security Teams). Please specify any officially recognized participation

in regional and/or international cybersecurity platforms and forums.


Methodology

The statistical model used will be based on a Multi-Criteria Analysis (MCA). The MCA establishes

preferences between options by reference to an explicit set of identified objectives, for each of which

there are established measurable criteria to assess the extent to which the objective has been achieved. A

simple linear additive evaluation model will be applied. In the MCA performance matrix each row describes

one option (here, a country) and each column describes the performance of the options against one

criterion. Each individual performance assessment is numerical.

The benchmark scoring will be based on the indicators below, each of which is weighted equally. Because

the categories contain different numbers of indicators, categories with more indicators carry slightly more

weight in the total. 0 points are allocated where there are no activities; 1 point is allocated for partial

action; and 2 points for more comprehensive action. Total points allocated for each category are:

1. Legal Measures (4 points)
   A. Criminal Legislation ........................ 2
   B. Regulation & Compliance ..................... 2

2. Technical Measures (6 points)
   A. CERT/CIRT/CSIRT ............................. 2
   B. Standards ................................... 2
   C. Certification ............................... 2

3. Organizational Measures (8 points)
   A. Policy ...................................... 2
   B. Roadmap for Governance ...................... 2
   C. Responsible Agency .......................... 2
   D. National Benchmarking ....................... 2

4. Capacity Building (8 points)
   A. Standardization Development ................. 2
   B. Manpower Development ........................ 2
   C. Professional Certification .................. 2
   D. Agency Certification ........................ 2

5. Cooperation (8 points)
   A. Intra-state Cooperation ..................... 2
   B. Intra-agency Cooperation .................... 2
   C. Public-Private Partnerships ................. 2
   D. International Cooperation ................... 2

Maximum total: 34 points

Notation:


Value of the individual indicator q for country c, with q=1,...,Q and c=1,...,M.

Normalized value of individual indicator q for country c

Value of the composite indicator for country c

The benchmark used will be the score of the hypothetical country that achieves the maximum overall

readiness (34 points). The resulting composite index will range between zero (worst possible readiness) and 1 (the

benchmark):

The normalization technique will be based on a ranking method:



The resulting ranking will be categorized into a tiered classification to allow countries to determine

which areas need to be improved on and further developed in order to fulfill the minimum criteria for

ascent into the next tier:

Tier 1: High-Level Cybersecurity Readiness

Minimum 29 points

Legal Minimum 3 points

Technical Minimum 5 points

Organization Minimum 7 points

Capacity Minimum 7 points

Cooperation Minimum 7 points

Tier 2: Intermediate-Level Cybersecurity Readiness

Between 17-29 points

Legal Between 2-3 points

Technical Between 3-5 points

Organization Between 4-7 points

Capacity Between 4-7 points

Cooperation Between 4-7 points

Tier 3: Low-Level Cybersecurity Readiness

Less than 17 points

Legal Less than 2 points

Technical Less than 3 points

Organization Less than 4 points

Capacity Less than 4 points

Cooperation Less than 4 points
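As an added worked example (not part of the ITU document and not the GCI's own implementation), the following Python reproduces the scoring model described above: 0/1/2 points per indicator, equal weights, the 34-point benchmark, the composite index as a fraction of that benchmark, and tier placement. It assumes that the normalized composite is the raw total divided by the benchmark (the page's own normalization formula is not reproduced here), that a total sitting exactly on a tier boundary falls into the higher tier, and that the per-category figures listed for Tiers 1 and 2 are entry requirements rather than descriptive ranges. The sample country scores are constructed for illustration.

```python
"""Worked example of the GCI scoring and tiering model (added illustration).

Assumptions not stated on the page: composite = total / 34; a total exactly on
a tier boundary goes to the higher tier; the per-category points listed for
Tiers 1 and 2 are minimum requirements.
"""
from typing import Dict

Scores = Dict[str, int]  # indicator name -> 0, 1 or 2

# Categories and indicators exactly as listed in the point allocation above.
CATEGORIES = {
    "Legal Measures": ["Criminal Legislation", "Regulation & Compliance"],
    "Technical Measures": ["CERT/CIRT/CSIRT", "Standards", "Certification"],
    "Organizational Measures": ["Policy", "Roadmap for Governance",
                                "Responsible Agency", "National Benchmarking"],
    "Capacity Building": ["Standardization Development", "Manpower Development",
                          "Professional Certification", "Agency Certification"],
    "Cooperation": ["Intra-state Cooperation", "Intra-agency Cooperation",
                    "Public-Private Partnerships", "International Cooperation"],
}
MAX_POINTS = 2
# Score of the hypothetical country that maximizes every indicator (34).
BENCHMARK = MAX_POINTS * sum(len(v) for v in CATEGORIES.values())

# (tier, minimum total, minimum points per category), highest tier first.
TIERS = [
    (1, 29, {"Legal Measures": 3, "Technical Measures": 5, "Organizational Measures": 7,
             "Capacity Building": 7, "Cooperation": 7}),
    (2, 17, {"Legal Measures": 2, "Technical Measures": 3, "Organizational Measures": 4,
             "Capacity Building": 4, "Cooperation": 4}),
]


def category_totals(scores: Scores) -> Dict[str, int]:
    """Sum indicator scores per category, rejecting missing, unknown or out-of-range values."""
    known = {name for names in CATEGORIES.values() for name in names}
    unknown = set(scores) - known
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    totals: Dict[str, int] = {}
    for category, indicators in CATEGORIES.items():
        subtotal = 0
        for name in indicators:
            if name not in scores:
                raise ValueError(f"missing score for indicator {name!r}")
            value = scores[name]
            if value not in (0, 1, 2):
                raise ValueError(f"{name}: score {value!r} must be 0, 1 or 2")
            subtotal += value
        totals[category] = subtotal
    return totals


def composite_index(scores: Scores) -> float:
    """Linear additive composite, normalized to [0, 1] against the benchmark (assumption)."""
    return sum(category_totals(scores).values()) / BENCHMARK


def tier(scores: Scores) -> int:
    """Tier placement: the total threshold AND every category minimum must be met."""
    totals = category_totals(scores)
    total = sum(totals.values())
    for level, min_total, min_per_category in TIERS:
        if total >= min_total and all(totals[c] >= m for c, m in min_per_category.items()):
            return level
    return 3


# Constructed sample: comprehensive action everywhere except legal measures,
# where only partial action (1 point each) is in place.
SAMPLE: Scores = {name: 2 for names in CATEGORIES.values() for name in names}
SAMPLE["Criminal Legislation"] = 1
SAMPLE["Regulation & Compliance"] = 1

if __name__ == "__main__":
    print("benchmark:", BENCHMARK)
    print("category totals:", category_totals(SAMPLE))
    print("composite index:", round(composite_index(SAMPLE), 3))
    print("tier:", tier(SAMPLE))
```

The sample country scores 32 of 34 points, above the 29-point total required for Tier 1, but its Legal Measures total of 2 is below the Tier 1 minimum of 3, so under the stated per-category minimum criteria it is placed in Tier 2. This is the practical point of the tiered classification: a country reads off which category is holding it back rather than only its overall rank.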

Impact

The long-term aim of the GCI is to drive further efforts in the adoption and integration of cybersecurity

on a global scale. A comparison of national cybersecurity strategies will reveal those states with high

rankings in specific areas, and consequently expose lesser-known yet successful cybersecurity strategies.

This can prompt increased information sharing on deploying cybersecurity for those states at different

levels of development as well. By measuring the level of cybersecurity preparedness in various areas,

the index will allow states to assess where they are on a scale of development, where they need to

make further improvements and how far they are from implementing an acceptable level of

cybersecurity. All states are moving towards a more digitized and connected environment, and adopting

cybersecurity early on can enable the deployment of more secure and resilient infrastructure.
